def create_repoter(self): main_url = DatabaseType(self.projectTag).getURLfromDB() parse_url = urlparse(main_url) host = parse_url.netloc reportType = CommandLines().cmd().report reportTypes = reportType.split(',') if "doc" in reportTypes or "pdf" in reportTypes or "txt" in reportTypes or "html" in reportTypes: self.log.info(Utils().tellTime() + Utils().getMyWord("{report_creat}")) if "html" in reportTypes: nameHtml = "reports" + os.sep + host + "-" + self.projectTag + ".html" if os.path.exists("reports" + os.sep + "res"): pass else: Utils().copyPath("doc" + os.sep + "template" + os.sep + "html" + os.sep + "res","reports") try: CreatHtml(self.projectTag,nameHtml).CreatMe() self.log.debug("html模板正常") except Exception as e: self.log.error("[Err] %s" % e) if "doc" in reportTypes or "pdf" in reportTypes or "txt" in reportTypes: Docx_replace(self.projectTag).mainReplace() if "doc" in reportTypes: nameDoc = "reports" + os.sep + host + "-" + self.projectTag + ".docx" Docx_replace(self.projectTag).docMove(nameDoc) if "txt" in reportTypes: nameTxt = "reports" + os.sep + host + "-" + self.projectTag + ".txt" CreatTxt(self.projectTag,nameTxt).CreatMe() if "pdf" in reportTypes: namePdf = "reports" + os.sep + host + "-" + self.projectTag + ".pdf" CreatPdf(self.projectTag,namePdf).CreatMe() Docx_replace(self.projectTag).docDel() if "doc" in reportTypes or "pdf" in reportTypes or "txt" in reportTypes or "html" in reportTypes: time.sleep(2) #waiting self.log.info(Utils().tellTime() + Utils().getMyWord("{report_fini}"))
def creatInsideJs(self, tag, host, scriptInside, url): # 生成html的script的文件 try: jsRealPath = url jsFilename = "7777777.script.inside.html.js" #随便来一个 jsTag = Utils().creatTag(6) PATH = "tmp/" + tag + "_" + host + "/" + tag + ".db" conn = sqlite3.connect(os.sep.join(PATH.split('/'))) cursor = conn.cursor() conn.isolation_level = None sql = "insert into js_file(name,path,local) values('%s','%s','%s')" % ( jsFilename, jsRealPath, jsTag + "." + jsFilename) cursor.execute(sql) conn.commit() self.log.info(Utils().tellTime() + Utils().getMyWord("{downloading}") + jsFilename) with open( "tmp" + os.sep + tag + "_" + host + os.sep + jsTag + "." + jsFilename, "wb") as js_file: js_file.write(str.encode(scriptInside)) js_file.close() cursor.execute( "UPDATE js_file SET success = 1 WHERE local='%s';" % (jsTag + "." + jsFilename)) conn.commit() conn.close() except Exception as e: self.log.error("[Err] %s" % e)
def apiComplete(self): self.baseUrlPaths = list(set(self.baseUrlPaths)) # list去重 self.apiPaths = list(set(self.apiPaths)) url = DatabaseType(self.projectTag).getURLfromDB() if "#" in url: # 帮我检测下此处逻辑 url = url.split("#")[0] res = urlparse(url) tmpUrl = res.path.split("/") if "." in tmpUrl[-1]: del tmpUrl[-1] hostURL = res.scheme + "://" + res.netloc + "/" url = res.scheme + "://" + res.netloc + "/".join(tmpUrl) if url[-1:] != "/": url = url + "/" for baseurl in self.baseUrlPaths: for apiPath in self.apiPaths: if baseurl == "/": completeUrl1 = url + apiPath completeUrl2 = hostURL + apiPath self.completeUrls.append(completeUrl1) self.completeUrls.append(completeUrl2) else: completeUrl1 = url + baseurl + apiPath completeUrl2 = hostURL + baseurl + apiPath self.completeUrls.append(completeUrl1) self.completeUrls.append(completeUrl2) self.completeUrls = list(set(self.completeUrls)) for completeUrl in self.completeUrls: if "//" in completeUrl.split("//", 1)[1]: completeUrl = completeUrl.split("//", 1)[0] + "//" + completeUrl.split("//", 1)[1].replace("//", "/") completeApiPath = completeUrl.split("§§§")[0] filePath = completeUrl.split("§§§")[1] DatabaseType(self.projectTag).apiRecordToDB(filePath, completeApiPath) self.log.info(Utils().tellTime() + Utils().getMyWord("{total_api_num}") + str(len(self.completeUrls)))
def checkSpiltingTwice(self, projectPath): self.log.info(Utils().tellTime() + Utils().getMyWord("{check_codesplit_twice}")) for parent, dirnames, filenames in os.walk(projectPath, followlinks=True): for filename in filenames: if filename != self.projectTag + ".db": tmpName = filename.split(".") if len(tmpName) == 4: localFileName = "." + tmpName[-2] + ".js" self.localFileNames.append(localFileName) remotePath = DatabaseType( self.projectTag).getJsUrlFromDB( filename, projectPath) tmpRemotePath = remotePath.split("/") del tmpRemotePath[-1] newRemotePath = "/".join(tmpRemotePath) + "/" self.remotePaths.append(newRemotePath) self.remotePaths = list(set(self.remotePaths)) if len(self.localFileNames) > 3: # 一切随缘 localFileName = self.localFileNames[0] for baseurl in self.remotePaths: tmpRemoteFileURLs = [] res = urlparse(baseurl) i = 0 while i < 500: remoteFileURL = baseurl + str(i) + localFileName i = i + 1 tmpRemoteFileURLs.append(remoteFileURL) GroupBy(tmpRemoteFileURLs, self.options).stat() tmpRemoteFileURLs = GroupBy(tmpRemoteFileURLs, self.options).start() for remoteFileURL in tmpRemoteFileURLs: self.remoteFileURLs.append(remoteFileURL) else: for localFileName in self.localFileNames: for baseurl in self.remotePaths: tmpRemoteFileURLs = [] res = urlparse(baseurl) i = 0 while i < 500: remoteFileURL = baseurl + str(i) + localFileName i = i + 1 tmpRemoteFileURLs.append(remoteFileURL) GroupBy(tmpRemoteFileURLs, self.options).stat() tmpRemoteFileURLs = GroupBy(tmpRemoteFileURLs, self.options).start() for remoteFileURL in tmpRemoteFileURLs: self.remoteFileURLs.append(remoteFileURL) if self.remoteFileURLs != []: self.remoteFileURLs = list(set(self.remoteFileURLs)) # 其实不会重复 self.log.info(Utils().tellTime() + Utils().getMyWord("{check_codesplit_twice_fini_1}") + str(len(self.remoteFileURLs)) + Utils().getMyWord("{check_codesplit_twice_fini_2}")) DownloadJs(self.remoteFileURLs, self.options).downloadJs(self.projectTag, res.netloc, 999) # 999表示爆破
def dealJs(self, js_paths): # 生成js绝对路径 res = urlparse(self.url) # 处理url多余部分 if res.path == "": baseUrl = res.scheme + "://" + res.netloc + "/" else: baseUrl = res.scheme + "://" + res.netloc + res.path if res.path[-1:] != "/": # 文件夹没"/",若输入的是文件也会被加上,但是影响不大 baseUrl = baseUrl + "/" if self.url[-1:] != "/": # 有文件的url tmpPath = res.path.split('/') tmpPath = tmpPath[:] # 防止解析报错 del tmpPath[-1] baseUrl = res.scheme + "://" + res.netloc + "/".join(tmpPath) + "/" for jsPath in js_paths: # 路径处理多种情况./ ../ / http if jsPath[:2] == "./": jsPath = jsPath.replace("./", "") jsRealPath = baseUrl + jsPath self.jsRealPaths.append(jsRealPath) elif jsPath[:3] == "../": dirCount = jsPath.count('../') tmpCount = 1 jsPath = jsPath.replace("../", "") new_tmpPath = tmpPath[:] # 防止解析报错 while tmpCount <= dirCount: del new_tmpPath[-1] tmpCount = tmpCount + 1 baseUrl = res.scheme + "://" + res.netloc + "/".join( new_tmpPath) + "/" jsRealPath = baseUrl + jsPath self.jsRealPaths.append(jsRealPath) elif jsPath[:1] == "/": jsRealPath = res.scheme + "://" + res.netloc + jsPath self.jsRealPaths.append(jsRealPath) elif jsPath[:4] == "http": jsRealPath = jsPath self.jsRealPaths.append(jsRealPath) elif jsPath[:2] == "//": # 自适应域名js jsRealPath = res.scheme + ":" + jsPath self.jsRealPaths.append(jsRealPath) else: #jsRealPath = res.scheme + "://" + res.netloc + "/" + jsPath jsRealPath = baseUrl + jsPath #我感觉我原来的逻辑写错了 self.jsRealPaths.append(jsRealPath) self.log.info(Utils().tellTime() + Utils().getMyWord("{pares_js_fini_1}") + str(len(self.jsRealPaths)) + Utils().getMyWord("{pares_js_fini_2}")) domain = res.netloc if ":" in domain: domain = str(domain).replace(":", "_") DownloadJs(self.jsRealPaths, self.options).downloadJs(self.projectTag, domain, 0) extJS = CommandLines().cmd().js if extJS != None: extJSs = extJS.split(',') DownloadJs(extJSs, self.options).downloadJs(self.projectTag, res.netloc, 0)
def requestUrl(self): headers = self.header url = self.url self.log.info(Utils().tellTime() + Utils().getMyWord("{target_url}") + url) self.log.info(Utils().tellTime() + Utils().getMyWord("{pares_js}")) if self.options.ssl_flag == 1: demo = requests.get(url=url, headers=headers, proxies=self.proxy_data,verify=False).text else: demo = requests.get(url=url, headers=headers,proxies=self.proxy_data,).text demo = demo.replace("<!--", "").replace("-->", "") # 删去html注释 soup = BeautifulSoup(demo, "html.parser") for item in soup.find_all("script"): jsPath = item.get("src") if jsPath: # 处理src空情况 self.jsPaths.append(jsPath) jsPathInScript = item.text #处理script标签里面的js内容 jsPathInScript = jsPathInScript.encode() if jsPathInScript: #self.jsPathInScripts.append(jsPathInScript) jsTag = Utils().creatTag(6) res = urlparse(self.url) domain = res.netloc if ":" in domain: domain = str(domain).split(":")[0] PATH = "tmp/" + self.projectTag + "_" + domain +'/' + self.projectTag + ".db" conn = sqlite3.connect(os.sep.join(PATH.split('/'))) cursor = conn.cursor() conn.isolation_level = None if "#" in self.url: inurl = self.url.split("#")[0] + "/§§§" else: inurl = self.url + "/§§§" sql = "insert into js_file(name,path,local) values('%s','%s','%s')" % (jsTag + ".js" , inurl , jsTag + ".js") cursor.execute(sql) with open("tmp" + os.sep + self.projectTag + "_" + domain + os.sep + jsTag + ".js", "wb") as js_file: js_file.write(jsPathInScript) js_file.close() cursor.execute("UPDATE js_file SET success = 1 WHERE local='%s';" % (jsTag + ".js")) conn.commit() conn.close() for item in soup.find_all("link"): # 防止使用link标签情况 jsPath = item.get("href") if jsPath[-2:] == "js": # 防止提取css self.jsPaths.append(jsPath) try: jsInScript = self.scriptCrawling(demo) self.log.debug("scriptCrawling模块正常") except Exception as e: self.log.error("[Err] %s" % e) for jsPath in jsInScript: self.jsPaths.append(jsPath) try: self.dealJs(self.jsPaths) self.log.debug("dealjs函数正常") except Exception as e: self.log.error("[Err] %s" % e)
def run(self): # target = (url for url in self.urls) self.log.info(Utils().tellTime() + Utils().getMyWord("{response_start}")) nums = len(self.urls) for _ in trange(nums): sleep(0.01) pool = ThreadPoolExecutor(20) allTask = [pool.submit(self.check, domain) for domain in self.urls] wait(allTask, return_when=ALL_COMPLETED) return self.res
def jsCodeCompile(self, jsCode, jsFilePath): try: self.log.info(Utils().tellTime() + Utils().getMyWord("{get_codesplit}")) variable = re.findall(r'\[.\]', jsCode) if "[" and "]" in variable[0]: variable = variable[0].replace("[", "").replace("]", "") jsCodeFunc = "function js_compile(%s){js_url=" % ( variable) + jsCode + "\nreturn js_url}" pattern_jscode = re.compile(r"\(\{\}\[(.*?)\]\|\|.\)", re.DOTALL) flag_code = pattern_jscode.findall(jsCodeFunc) if flag_code: jsCodeFunc = jsCodeFunc.replace( "({}[%s]||%s)" % (flag_code[0], flag_code[0]), flag_code[0]) pattern1 = re.compile(r"\{(.*?)\:") pattern2 = re.compile(r"\,(.*?)\:") nameList1 = pattern1.findall(jsCode) nameList2 = pattern2.findall(jsCode) nameList = nameList1 + nameList2 nameList = list(set(nameList)) projectDBPath = DatabaseType( self.projectTag).getPathfromDB() + self.projectTag + ".db" connect = sqlite3.connect(os.sep.join(projectDBPath.split('/'))) cursor = connect.cursor() connect.isolation_level = None localFile = jsFilePath.split(os.sep)[-1] sql = "insert into js_split_tree(jsCode,js_name) values('%s','%s')" % ( jsCode, localFile) cursor.execute(sql) connect.commit() cursor.execute("select id from js_split_tree where js_name='%s'" % (localFile)) jsSplitId = cursor.fetchone()[0] cursor.execute("select path from js_file where local='%s'" % (localFile)) jsUrlPath = cursor.fetchone()[0] connect.close() if "exec" not in jsCode and "spawn" not in jsCode: # 防止黑吃黑被命令执行 jsCompileResult = execjs.compile(jsCodeFunc) for name in nameList: if "\"" in name: name = name.replace("\"", "") if "undefined" not in jsCompileResult.call( "js_compile", name): jsFileName = jsCompileResult.call("js_compile", name) self.jsFileNames.append(jsFileName) self.log.info(Utils().tellTime() + Utils().getMyWord("{run_codesplit_s}") + str(len(self.jsFileNames))) self.getRealFilePath(jsSplitId, self.jsFileNames, jsUrlPath) self.log.debug("jscodecomplie模块正常") except Exception as e: self.log.error("[Err] %s" % e) # 这块有问题,逻辑要改进 return 0
def checkCodeSpilting(self, jsFilePath): jsOpen = open(jsFilePath, 'r', encoding='UTF-8',errors="ignore") # 防编码报错 jsFile = jsOpen.readlines() jsFile = str(jsFile) # 二次转换防报错 if "document.createElement(\"script\");" in jsFile: self.log.info(Utils().tellTime() + Utils().getMyWord("{maybe_have_codesplit}") + Utils().getFilename(jsFilePath)) pattern = re.compile(r"\w\.p\+(.*?)\.js", re.DOTALL) jsCodeList = pattern.findall(jsFile) for jsCode in jsCodeList: jsCode = jsCode + ".js\"" self.jsCodeCompile(jsCode, jsFilePath)
def recoverStart(self): projectPath = DatabaseType(self.projectTag).getPathfromDB() for parent, dirnames, filenames in os.walk(projectPath, followlinks=True): for filename in filenames: if filename != self.projectTag + ".db": filePath = os.path.join(parent, filename) self.checkCodeSpilting(filePath) try: self.checkSpiltingTwice(projectPath) self.log.debug("checkSpiltingTwice模块正常") except Exception as e: self.log.error("[Err] %s" % e) self.log.info(Utils().tellTime() + Utils().getMyWord("{check_js_fini}"))
def jsBlacklist(self): newList = self.jsRealPaths[:] # 防止遍历不全 for jsRealPath in newList: # 遍历js路径 res = urlparse(jsRealPath) jsRealPathDomain = res.netloc.lower() # js的主域名 jsRealPathFilename = Utils().getFilename( jsRealPath).lower() # 获取js名称 for blacklistDomain in self.blacklist_domains.split( ","): # 遍历黑名单列表 if blacklistDomain in jsRealPathDomain: flag = 1 break else: flag = 0 if flag: # 判断js路径中是否存在黑名单 self.jsRealPaths.remove(jsRealPath) # 如果有就进行删除 for blacklistFilename in self.blacklistFilenames.split(","): if blacklistFilename in jsRealPathFilename: flag = 1 break else: flag = 0 if flag: if jsRealPath in self.jsRealPaths: self.jsRealPaths.remove(jsRealPath) return self.jsRealPaths
def run(self): if self.options.cookie != None: header = { 'User-Agent': random.choice(self.UserAgent), 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 'Cookie': self.options.cookie, self.options.head.split(':')[0]: self.options.head.split(':')[1] } else: header = { 'User-Agent': random.choice(self.UserAgent), 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', self.options.head.split(':')[0]: self.options.head.split(':')[1] } proxy_data = { 'http': self.options.proxy, 'https': self.options.proxy, } testWeb = requests.get(self.options.url, proxies=proxy_data, headers=header, timeout=7).text.strip() for ban in self.ban_title: if ban in testWeb: print( Utils().tellTime() + "After a SaoCaoZuo your IP seems to be blocked by GeZhong 666666 de WAF !" )
def getRealFilePath(self, jsSplitId, jsFileNames, jsUrlpath): # 我是没见过webpack异步加载的js和放异步的js不在同一个目录下的,这版先不管不同目录的情况吧 jsRealPaths = [] res = urlparse(jsUrlpath) if "§§§" in jsUrlpath: # html中script情況 jsUrlpath = jsUrlpath.split('§§§')[0] tmpUrl = jsUrlpath.split("/") if "." in tmpUrl[-1]: del tmpUrl[-1] base_url = "/".join(tmpUrl) for jsFileName in jsFileNames: jsFileName = base_url + jsFileName jsRealPaths.append(jsFileName) else: tmpUrl = jsUrlpath.split("/") del tmpUrl[-1] base_url = "/".join(tmpUrl) + "/" for jsFileName in jsFileNames: jsFileName = Utils().getFilename(jsFileName) # 获取js名称 jsFileName = base_url + jsFileName jsRealPaths.append(jsFileName) try: DownloadJs(jsRealPaths,self.options).downloadJs(self.projectTag, res.netloc, jsSplitId) self.log.debug("downjs功能正常") except Exception as e: self.log.error("[Err] %s" % e)
def RandomBanner(): # BannerList = [Banner1,Banner2,Banner3,Banner4] if CommandLines().cmd().silent == None: print(Banner7) print("©2021 Poc-Sir、KpLi0rn、Liucy、RachesseHS、Lupin-III") print("Project Hub: https://github.com/rtcatc/Packer-Fuzzer") print(Utils().getMyWord("{xhlj}") + "\n")
def testProxy(options, show): try: url = "http://ifconfig.me/ip" proxy_data = { 'http': options.proxy, 'https': options.proxy, } ipAddr = "127.0.0.1" ipAddr = requests.get(url, proxies=proxy_data, timeout=7, verify=False).text.strip() if show == 1: print("[+] " + Utils().getMyWord("{connect_s}") + ipAddr) return ipAddr except: if show == 1: print("[!] " + Utils().getMyWord("{connect_f}")) return ipAddr
def apiViolentCollect(self, filePath): violentRe = r'(?isu)"([^"]+)' with open(filePath, "r", encoding="utf-8",errors="ignore") as jsPath: print(Utils().tellTime() + Utils().getMyWord("{api_violent_file}") + Utils().getFilename(filePath)) apiStr = jsPath.read() apiLists = re.findall(violentRe, apiStr) for apiPath in apiLists: if apiPath != '' and '/' in apiPath and apiPath != "/": for apiExt in self.apiExts.split(","): if apiExt not in apiPath: flag = 1 else: flag = 0 break if flag: if "?" in apiPath: apiPath = apiPath.split("?")[0] self.apiPaths.append(apiPath + "§§§" + filePath) else: self.apiPaths.append(apiPath + "§§§" + filePath)
def testProxy(options, show): try: # url = "http://ifconfig.me/ip" 这节点居然不能用了... # url = "https://api.my-ip.io/ip" 备用一个 Backup url = "http://api.ipify.org/?format=txt" proxy_data = { 'http': options.proxy, 'https': options.proxy, } ipAddr = "127.0.0.1" ipAddr = requests.get(url, proxies=proxy_data, timeout=7, verify=False).text.strip() if show == 1: if options.silent == None: print("[+] " + Utils().getMyWord("{connect_s}") + ipAddr) return ipAddr except: if show == 1: if options.silent == None: print("[!] " + Utils().getMyWord("{connect_f}")) return ipAddr
def downloadJs(self, tag, host, spiltId): # 下载js文件 if self.options.cookie != None: header = { 'User-Agent': random.choice(self.UserAgent), 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 'Cookie': self.options.cookie, self.options.head.split(':')[0]: self.options.head.split(':')[1] } else: header = { 'User-Agent': random.choice(self.UserAgent), 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', self.options.head.split(':')[0]: self.options.head.split(':')[1] } self.jsRealPaths = list(set(self.jsRealPaths))# list清单去重 try: self.jsRealPaths = self.jsBlacklist() # 不能放for循环内 self.log.debug("js黑名单函数正常") except Exception as e: self.log.error("[Err] %s" % e) for jsRealPath in self.jsRealPaths: jsFilename = Utils().getFilename(jsRealPath) jsTag = Utils().creatTag(6) PATH = "tmp/" + tag + "_" + host + "/" + tag + ".db" conn = sqlite3.connect(os.sep.join(PATH.split('/'))) cursor = conn.cursor() conn.isolation_level = None checkSql = "select * from js_file where name = '" + jsFilename + "'" if spiltId == 0: sql = "insert into js_file(name,path,local) values('%s','%s','%s')" % ( jsFilename, jsRealPath, jsTag + "." + jsFilename) else: sql = "insert into js_file(name,path,local,spilt) values('%s','%s','%s',%d)" % ( jsFilename, jsRealPath, jsTag + "." + jsFilename, spiltId) cursor.execute(checkSql) res = cursor.fetchall() if len(res) > 0: self.log.info(Utils().tellTime() + Utils().getMyWord("{have_it}") + jsFilename) conn.close() else: cursor.execute(sql) conn.commit() # headers = { # "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0"} self.log.info(Utils().tellTime() + Utils().getMyWord("{downloading}") + jsFilename) sslFlag = int(self.options.ssl_flag) if sslFlag == 1: jsFileData = requests.get(url=jsRealPath, headers=header, proxies=self.proxy_data, verify=False).content else: jsFileData = requests.get(url=jsRealPath, proxies=self.proxy_data, headers=header).content with open("tmp" + os.sep + tag + "_" + host + os.sep + jsTag + "." + jsFilename, "wb") as js_file: js_file.write(jsFileData) js_file.close() cursor.execute("UPDATE js_file SET success = 1 WHERE local='%s';" % (jsTag + "." + jsFilename)) conn.commit() conn.close()
def baseUrlDevelop(self): # print(", ".join(output)) 要改进压缩在一起并输入在log内 if CommandLines().cmd().baseurl == None: if len(self.baseUrlPaths) > 3: if self.options.silent != None: self.baseUrlPaths = self.baseUrlPaths[:2] else: if len(self.baseUrlPaths) > 7: self.baseUrlPaths = self.baseUrlPaths[:7] creatLog().get_logger().info(Utils().tellTime() + Utils().getMyWord("{base_dir_list}")) print(", ".join(self.baseUrlPaths)) creatLog().get_logger().info(Utils().tellTime() + Utils().getMyWord("{api_top5_list}")) output = [] for api in self.apiPaths[:5]: if "§§§" in api: api = api.split("§§§")[0] output.append(api) else: output.append(api) print(", ".join(output)) baseurls = input("[!] " + Utils().getMyWord("{new_base_dir}")) if "," in baseurls: base = baseurls.split(",") else: base = baseurls self.baseUrlPaths.clear() #直接清除重置 for baseurl in base: if baseurl not in self.baseUrlPaths: self.baseUrlPaths.append(baseurl) elif len(self.baseUrlPaths) < 3: creatLog().get_logger().info(Utils().tellTime() + Utils().getMyWord("{base_dir_list}")) print(", ".join(self.baseUrlPaths)) creatLog().get_logger().info(Utils().tellTime() + Utils().getMyWord("{api_top5_list}")) output = [] for api in self.apiPaths[:5]: if "§§§" in api: api = api.split("§§§")[0] output.append(api) else: output.append(api) print(", ".join(output))
def apireCoverStart(self): projectPath = DatabaseType(self.projectTag).getPathfromDB() # projectPath = "tmp/_/" for parent, dirnames, filenames in os.walk(projectPath, followlinks=True): for filename in filenames: if filename != self.projectTag + ".db": filePath = os.path.join(parent, filename) try: self.apiCollect(filePath) self.getBaseurl(filePath) self.log.debug("api收集和baseurl提取成功") except Exception as e: self.log.error("[Err] %s" % e) if len(self.apiPaths) < 30: # 提取结果过少时暴力破解 self.log.info(Utils().tellTime() + Utils().getMyWord("{total_api_auto}")) for parent, dirnames, filenames in os.walk(projectPath, followlinks=True): for filename in filenames: if filename != self.projectTag + ".db": filePath = os.path.join(parent, filename) try: self.apiViolentCollect(filePath) self.log.debug("自动api暴力提取模块正常") except Exception as e: self.log.error("[Err] %s" % e) else: self.log.info(Utils().tellTime() + Utils().getMyWord("{total_api_1}") + str(len(self.apiPaths)) + Utils().getMyWord("{total_api_2}")) if self.options.silent != None: open_violent = "Y" else: open_violent = input(Utils().tellTime() + Utils().getMyWord("{open_violent_input}")) if open_violent == "Y" or open_violent == "y": for parent, dirnames, filenames in os.walk(projectPath, followlinks=True): for filename in filenames: if filename != self.projectTag + ".db": filePath = os.path.join(parent, filename) try: self.apiViolentCollect(filePath) self.log.debug("手动api暴力提取模块正常") except Exception as e: self.log.error("[Err] %s" % e) self.apiComplete()
def advtestStart(self, options): try: self.log.info(Utils().tellTime() + Utils().getMyWord("{password_test}")) passwordtest = PasswordTest(self.projectTag) passwordtest.passwordTest() passwordtest.vulntestStart(options) self.log.debug("passwordTest模块正常") except Exception as e: self.log.error("[Err] %s" % e) # 水平越权 ok try: self.log.info(Utils().tellTime() + Utils().getMyWord("{bac_test}")) bactest = BacTest(self.projectTag, self.options) bactest.bacTest() self.log.debug("BacTest模块正常") except Exception as e: self.log.error("[Err] %s" % e) # 文件上传 fuzz 检测模块 try: self.log.info(Utils().tellTime() + Utils().getMyWord("{upload_test}")) uploadtest = UploadTest(self.projectTag, self.options) uploadtest.uploadTest() self.log.debug("UploadTest模块正常") except Exception as e: self.log.error("[Err] %s" % e) # sql注入检测模块 try: self.log.info(Utils().tellTime() + Utils().getMyWord("{sql_test}")) sqltest = SqlTest(self.projectTag, self.options) sqltest.sqlTest() self.log.debug("SqlTest模块正常") except Exception as e: self.log.error("[Err] %s" % e)
def testStart(self, url): self.log.info(Utils().tellTime() + Utils().getMyWord("{unauth_test}")) try: UnAuthTest(self.projectTag).apiUnAuthTest() self.log.debug("UnAuthTest模块正常") except Exception as e: self.log.error("[Err] %s" % e) self.log.info(Utils().tellTime() + Utils().getMyWord("{info_test}")) try: InfoTest(self.projectTag).startInfoTest() self.log.debug("InfoTest模块正常") except Exception as e: self.log.error("[Err] %s" % e) self.log.info(Utils().tellTime() + Utils().getMyWord("{cors_test}")) try: cors = CorsTest(url, self.options) cors.testStart() if cors.flag == 1: DatabaseType(self.projectTag).insertCorsInfoIntoDB( cors.header, cors.res) self.log.debug("CorsTest模块正常") except Exception as e: self.log.error("[Err] %s" % e)
def parseStart(self): projectTag = logs if self.options.silent != None: print("[TAG]" + projectTag) DatabaseType(projectTag).createDatabase() ParseJs(projectTag, self.url, self.options).parseJsStart() path_log = os.path.abspath(log_name) path_db = os.path.abspath( DatabaseType(projectTag).getPathfromDB() + projectTag + ".db") creatLog().get_logger().info("[!] " + Utils().getMyWord("{db_path}") + path_db) #显示数据库文件路径 creatLog().get_logger().info("[!] " + Utils().getMyWord("{log_path}") + path_log) #显示log文件路径 checkResult = CheckPacker(projectTag, self.url, self.options).checkStart() if checkResult == 1 or checkResult == 777: #打包器检测模块 if checkResult != 777: #确保检测报错也能运行 creatLog().get_logger().info( "[!] " + Utils().getMyWord("{check_pack_s}")) RecoverSpilt(projectTag, self.options).recoverStart() else: creatLog().get_logger().info("[!] " + Utils().getMyWord("{check_pack_f}")) Apicollect(projectTag, self.options).apireCoverStart() apis = DatabaseType(projectTag).apiPathFromDB() # 从数据库中提取出来的api self.codes = ApiResponse(apis, self.options).run() DatabaseType(projectTag).insertResultFrom(self.codes) getPaths = DatabaseType(projectTag).sucesssPathFromDB() # 获取get请求的path getTexts = ApiText(getPaths, self.options).run() # 对get请求进行一个获取返回包 postMethod = DatabaseType( projectTag).wrongMethodFromDB() # 获取post请求的path if len(postMethod) != 0: postText = PostApiText(postMethod, self.options).run() DatabaseType(projectTag).insertTextFromDB(postText) DatabaseType(projectTag).insertTextFromDB(getTexts) if self.options.type == "adv": creatLog().get_logger().info("[!] " + Utils().getMyWord("{adv_start}")) creatLog().get_logger().info(Utils().tellTime() + Utils().getMyWord("{beauty_js}")) BeautyJs(projectTag).rewrite_js() creatLog().get_logger().info(Utils().tellTime() + Utils().getMyWord("{fuzzer_param}")) FuzzerParam(projectTag).FuzzerCollect() creatLog().get_logger().info(Utils().tellTime() + Utils().getMyWord("{response_end}")) vulnTest(projectTag, self.options).testStart(self.url) if self.options.type == "adv": vulnTest(projectTag, self.options).advtestStart(self.options) if self.options.ext == "on": creatLog().get_logger().info("[+] " + Utils().getMyWord("{ext_start}")) loadExtensions(projectTag, self.options).runExt() creatLog().get_logger().info("[-] " + Utils().getMyWord("{ext_end}")) vuln_num = Docx_replace(projectTag).vuln_judge() co_vuln_num = vuln_num[1] + vuln_num[2] + vuln_num[3] creatLog().get_logger().info( "[!] " + Utils().getMyWord("{co_discovery}") + str(co_vuln_num) + Utils().getMyWord("{effective_vuln}") + ": " + Utils().getMyWord("{r_l_h}") + str(vuln_num[1]) + Utils().getMyWord("{ge}") + ", " + Utils().getMyWord("{r_l_m}") + str(vuln_num[2]) + Utils().getMyWord("{ge}") + ", " + Utils().getMyWord("{r_l_l}") + str(vuln_num[3]) + Utils().getMyWord("{ge}")) CreateReport(projectTag).create_repoter() creatLog().get_logger().info("[-] " + Utils().getMyWord("{all_end}"))
def creat_api(self, document): para1 = Creat_api(self.projectTag).locat_api(document) projectDBPath = DatabaseType( self.projectTag).getPathfromDB() + self.projectTag + ".db" connect = sqlite3.connect(os.sep.join(projectDBPath.split('/'))) cursor = connect.cursor() connect.isolation_level = None sql = "select * from api_tree" cursor.execute(sql) api_infos = cursor.fetchall() for api_info in api_infos: if api_info[5] == 1 or api_info[5] == 2: para2 = para1.insert_paragraph_before("") api_path = api_info[1] sql = "select path from js_file where id='%s'" % (api_info[6]) cursor.execute(sql) js_paths = cursor.fetchall() for js_path in js_paths: run2 = para2.add_run(Utils().getMyWord("{r_api_addr}") + "\n") run2.font.name = "Arial" run2.font.size = Pt(11) run2.font.bold = True run3 = para2.add_run(api_path) run3.font.name = "Arial" run3.font.size = Pt(11) run4 = para2.add_run("\n" + Utils().getMyWord("{r_api_r_js}") + "\n") run4.font.name = "Arial" run4.font.size = Pt(11) run4.font.bold = True run5 = para2.add_run(js_path[0]) run5.font.name = "Arial" run5.font.size = Pt(11) run6 = para2.add_run("\n" + Utils().getMyWord("{r_api_res}") + "") run6.font.name = "Arial" run6.font.size = Pt(11) run6.font.bold = True try: if api_info[4] == None: api_info1 = "\" \"" api_info_unicode = json.dumps( json.loads(api_info1), sort_keys=True, indent=4, ensure_ascii=False) Creat_api(self.projectTag).creat_table( document, api_info_unicode, para2) else: api_info_unicode = json.dumps(json.loads( api_info[4]), sort_keys=True, indent=4, ensure_ascii=False) Creat_api(self.projectTag).creat_table( document, api_info_unicode, para2) self.log.debug("api_info正常") except Exception as e: if api_info[4] == None: api_info1 = "\" \"" Creat_api(self.projectTag).creat_table( document, api_info1, para2) else: Creat_api(self.projectTag).creat_table( document, api_info[4], para2) self.log.error("[Err] %s" % e)
def docxReplace(self, document): cmd = CommandLines().cmd() ipAddr = testProxy(cmd,0) end_time = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime()) report_time = time.strftime("%Y-%m-%d %H:%M", time.localtime()) main_url = DatabaseType(self.projectTag).getURLfromDB() parse_url = urlparse(main_url) host = parse_url.netloc projectDBPath = DatabaseType(self.projectTag).getPathfromDB() + self.projectTag + ".db" connect = sqlite3.connect(os.sep.join(projectDBPath.split('/'))) cursor = connect.cursor() connect.isolation_level = None sql = "select id from js_file" cursor.execute(sql) js_all_files = cursor.fetchall() js_num = len(js_all_files) sql = "select path from js_file" cursor.execute(sql) jsfilelist = cursor.fetchall() js_paths='' for js in jsfilelist: jspath = "◆ " + js[0] + "\n" js_paths = js_paths + jspath sql ="select id from api_tree where success = 1 or success = 2" cursor.execute(sql) api_list = cursor.fetchall() api_num = len(api_list) vuln_infos = Docx_replace(self.projectTag).vuln_judge() vuln_h_num = vuln_infos[1] vuln_m_num = vuln_infos[2] vuln_l_num = vuln_infos[3] vuln_num = vuln_h_num + vuln_m_num + vuln_l_num vuln_score = vuln_infos[0] if vuln_score >= 18: sec_lv = Utils().getMyWord("{risk_h}") elif vuln_score < 18 and vuln_score >= 10: sec_lv = Utils().getMyWord("{risk_m}") elif vuln_score < 10 and vuln_score >= 5: sec_lv = Utils().getMyWord("{risk_l}") else: sec_lv = Utils().getMyWord("{risk_n}") sql = "select vaule from info where name='time'" cursor.execute(sql) time_in_info = cursor.fetchone() timeArray = time.localtime(int(time_in_info[0])) start_time = time.strftime("%Y-%m-%d %H:%M:%S", timeArray) type = CommandLines().cmd().type if type == "simple": scan_type = Utils().getMyWord("{mode_simple}") else: scan_type = Utils().getMyWord("{mode_adv}") scan_min = int(end_time.split(":")[-2]) - int(start_time.split(":")[-2]) if int(scan_min) >= 1: end_time_one = int(end_time.split(":")[-1]) + int(scan_min) * 60 scan_time = int(end_time_one) - int(start_time.split(":")[-1]) else: scan_time = int(end_time.split(":")[-1]) - int(start_time.split(":")[-1]) vuln_list = '' sql = "select id from vuln where type='unAuth'" cursor.execute(sql) num_auth = cursor.fetchall() if len(num_auth) != 0: vuln_list = vuln_list + "◆ " + Utils().getMyWord("{vuln_unauth_num}") + str(len(num_auth)) + Utils().getMyWord("{ge}") + "\n" sql = "select id from vuln where type='CORS'" cursor.execute(sql) num_cors = cursor.fetchall() if len(num_cors) != 0: vuln_list = vuln_list + "◆ " + Utils().getMyWord("{vuln_cors_num}") + str(len(num_cors)) + Utils().getMyWord("{ge}") + "\n" sql = "select id from vuln where type='INFO'" cursor.execute(sql) num_info = cursor.fetchall() if len(num_info) != 0: vuln_list = vuln_list + "◆ " + Utils().getMyWord("{vuln_info_num}") + str(len(num_info)) + Utils().getMyWord("{ge}") + "\n" sql = "select id from vuln where type='passWord'" cursor.execute(sql) num_passWord = cursor.fetchall() if len(num_passWord) != 0: vuln_list = vuln_list + "◆ " + Utils().getMyWord("{vuln_passWord_num}") + str(len(num_passWord)) + Utils().getMyWord("{ge}") + "\n" sql = "select id from vuln where type='BAC'" cursor.execute(sql) num_BAC = cursor.fetchall() if len(num_BAC) != 0: vuln_list = vuln_list + "◆ " + Utils().getMyWord("{vuln_BAC_num}") + str(len(num_BAC)) + Utils().getMyWord("{ge}") + "\n" sql = "select id from vuln where type='upLoad'" cursor.execute(sql) num_upload = cursor.fetchall() if len(num_upload) != 0: vuln_list = vuln_list + "◆ " + Utils().getMyWord("{vuln_upload_num}") + str( len(num_upload)) + Utils().getMyWord( "{ge}") + "\n" sql = "select id from vuln where type='SQL'" cursor.execute(sql) num_sql = cursor.fetchall() if len(num_sql) != 0: vuln_list = vuln_list + "◆ " + Utils().getMyWord("{vuln_sql_num}") + str( len(num_sql)) + Utils().getMyWord( "{ge}") + "\n" cookies = CommandLines().cmd().cookie if cookies: extra_cookies = cookies else: extra_cookies = Utils().getMyWord("{no_extra_cookies}") head = CommandLines().cmd().head if head != "Cache-Control:no-cache": extra_head = head else: extra_head = Utils().getMyWord("{no_extra_head}") try: DICT = { "{report_number}": "PF-API-" + self.projectTag, "{report_date}": "%s" % (report_time), "{target_host}": "%s" % (host), "{target_url}": "%s" % (main_url), "{js_num}": "%s" % (js_num), "{start_time}": "%s" % (start_time), "{scan_time}" :"%s" % (scan_time), "{scan_type}": "%s" % (scan_type), "{api_num}": "%s" % (api_num), "{vuln_num}": "%s" % (vuln_num), "{vuln_h_num}": "%s" % (vuln_h_num), "{vuln_m_num}": "%s" % (vuln_m_num), "{vuln_l_num}": "%s" % (vuln_l_num), "{unauth_vuln}": "%s" % ("unauth_vuln"), "{vuln_list}": "%s" % (vuln_list), "{scan_ip}": "%s" % (ipAddr), "{extra_cookies}": "%s" % (extra_cookies), "{extra_head}": "%s" % (extra_head) } self.log.debug("word—report正常替换") except Exception as e: self.log.error("[Err] %s" % e) for table in document.tables: for row in range(len(table.rows)): for col in range(len(table.columns)): for key, value in DICT.items(): if key in table.cell(row, col).text: table.cell(row, col).text = table.cell(row, col).text.replace(key, value) for para in document.paragraphs: for i in range(len(para.runs)): for key, value in DICT.items(): if key in para.runs[i].text: para.runs[i].text = para.runs[i].text.replace(key, value) for para in document.paragraphs: for i in range(len(para.runs)): if "{js_list}" in para.runs[i].text: para.runs[i].text = para.runs[i].text.replace("{js_list}", "%s" % (js_paths)) para.runs[i].font.size = Pt(10) para.runs[i].font.name = "Arial" for para in document.paragraphs: for i in range(len(para.runs)): if "{end_time}" in para.runs[i].text: para.runs[i].text = para.runs[i].text.replace("{end_time}", "%s" % (end_time)) for para in document.paragraphs: for i in range(len(para.runs)): if "{sec_lv}" in para.runs[i].text: para.runs[i].text = para.runs[i].text.replace("{sec_lv}", "%s" % (sec_lv)) para.runs[i].font.size = Pt(14) if sec_lv == Utils().getMyWord("{risk_n}"): para.runs[i].font.color.rgb = RGBColor(139,137,137) elif sec_lv == Utils().getMyWord("{risk_l}"): para.runs[i].font.color.rgb = RGBColor(46, 139,87) elif sec_lv == Utils().getMyWord("{risk_m}"): para.runs[i].font.color.rgb = RGBColor(205, 55, 0) elif sec_lv == Utils().getMyWord("{risk_h}"): para.runs[i].font.color.rgb = RGBColor(238, 0, 0) try: Creat_vuln_detail(self.projectTag).creat_detail(document) self.log.debug("正确获取vuln_detail替换内容") except Exception as e: self.log.error("[Err] %s" % e) try: Creat_api(self.projectTag).creat_api(document) self.log.debug("正确获取api替换内容") except Exception as e: self.log.error("[Err] %s" % e) try: Creat_suggest(self.projectTag).creat_suggest(document) self.log.debug("正确获取suggest替换内容") except Exception as e: self.log.error("[Err] %s" % e) return document
def __init__(self , logger=None): self.logger = logging.getLogger(logger) self.logger.setLevel(logging.NOTSET) self.log_time = time.strftime("%Y_%m_%d_") self.log_name = "logs" + os.sep + Utils().creatTag(6) + ".log"
def parseStart(self): projectTag = Utils().creatTag(6) if self.options.silent != None: print("[TAG]" + projectTag) DatabaseType(projectTag).createDatabase() ParseJs(projectTag, self.url, self.options).parseJsStart() checkResult = CheckPacker(projectTag, self.url, self.options).checkStart() if checkResult == 1 or checkResult == 777: #打包器检测模块 if checkResult != 777: #确保检测报错也能运行 creatLog().get_logger().info( "[!] " + Utils().getMyWord("{check_pack_s}")) RecoverSpilt(projectTag, self.options).recoverStart() else: creatLog().get_logger().info("[!] " + Utils().getMyWord("{check_pack_f}")) Apicollect(projectTag, self.options).apireCoverStart() apis = DatabaseType(projectTag).apiPathFromDB() # 从数据库中提取出来的api self.codes = ApiResponse(apis, self.options).run() DatabaseType(projectTag).insertResultFrom(self.codes) getPaths = DatabaseType(projectTag).sucesssPathFromDB() # 获取get请求的path getTexts = ApiText(getPaths, self.options).run() # 对get请求进行一个获取返回包 postMethod = DatabaseType( projectTag).wrongMethodFromDB() # 获取post请求的path if len(postMethod) != 0: postText = PostApiText(postMethod, self.options).run() DatabaseType(projectTag).insertTextFromDB(postText) DatabaseType(projectTag).insertTextFromDB(getTexts) if self.options.type == "adv": creatLog().get_logger().info("[!] " + Utils().getMyWord("{adv_start}")) creatLog().get_logger().info(Utils().tellTime() + Utils().getMyWord("{beauty_js}")) BeautyJs(projectTag).rewrite_js() creatLog().get_logger().info(Utils().tellTime() + Utils().getMyWord("{fuzzer_param}")) FuzzerParam(projectTag).FuzzerCollect() creatLog().get_logger().info(Utils().tellTime() + Utils().getMyWord("{response_end}")) vulnTest(projectTag, self.options).testStart(self.url) if self.options.type == "adv": vulnTest(projectTag, self.options).advtestStart(self.options) if self.options.ext == "on": creatLog().get_logger().info("[+] " + Utils().getMyWord("{ext_start}")) loadExtensions(projectTag, self.options).runExt() creatLog().get_logger().info("[-] " + Utils().getMyWord("{ext_end}")) CreateReport(projectTag).create_repoter() creatLog().get_logger().info("[-] " + Utils().getMyWord("{all_end}"))
def run(self): print(Utils().tellTime() + "Hello Bonjour Hola 你好 こんにちは")
def createProjectDatabase(self, url, type, cloneTag): if type == 1: typeValue = "simple" else: typeValue = "adv" unixTime = int(time.time()) res = urlparse(url) domain = res.netloc if ":" in domain: domain = str(domain).replace(":", "_") PATH = "tmp/" + self.projectTag + "_" + domain + '/' + self.projectTag + ".db" try: if Utils().creatSometing(2, PATH) == 1: connect = sqlite3.connect(os.sep.join(PATH.split('/'))) cursor = connect.cursor() connect.isolation_level = None cursor.execute('''CREATE TABLE if not exists info( name TEXT PRIMARY KEY NOT NULL, vaule TEXT );''') cursor.execute('''CREATE TABLE if not exists js_file( id INTEGER PRIMARY KEY autoincrement, name TEXT NOT NULL, path TEXT , local TEXT , success INT , spilt INT );''') cursor.execute('''CREATE TABLE if not exists js_split_tree( id INTEGER PRIMARY KEY autoincrement, jsCode TEXT , js_name TEXT , js_result TEXT , success INT );''') cursor.execute('''CREATE TABLE if not exists api_tree( id INTEGER PRIMARY KEY autoincrement, path TEXT , name TEXT NOT NULL, option TEXT , result TEXT , success INT , from_js INT );''') cursor.execute('''CREATE TABLE if not exists vuln( id INTEGER PRIMARY KEY autoincrement, api_id INT NOT NULL, js_id INT NOT NULL, type TEXT , sure INT , request_b TEXT , response_b TEXT , response_h TEXT , des TEXT );''') cursor.execute("insert into info values('time', '%s')" % (unixTime)) cursor.execute("insert into info values('url', '%s')" % (url)) cursor.execute("insert into info values('host','%s')" % (domain)) cursor.execute("insert into info values('type', '%s')" % (typeValue)) cursor.execute("insert into info values('tag', '%s')" % (self.projectTag)) cursor.execute("insert into info (name) VALUES ('clone')") connect.commit() connect.close() conn2 = sqlite3.connect(os.getcwd() + os.sep + "main.db") cursor2 = conn2.cursor() conn2.isolation_level = None sql = "INSERT into project (tag,host,time) VALUES ('" + self.projectTag + "', '" + domain + "', " + str( unixTime) + ")" cursor2.execute(sql) conn2.commit() conn2.close() self.log.debug("数据库创建成功") except Exception as e: self.log.error("[Err] %s" % e)
def __init__(self,projectTag): docLang = Utils().getMyWord("{lang}") self.projectTag = projectTag self.tmp_filepath = "doc" + os.sep + "template" + os.sep + docLang + ".docx" self.new_filepath = "reports" + os.sep + "tmp_" + self.projectTag + ".docx" self.log = creatLog().get_logger()